Force Google Account Selection on every login
-
We have users with multiple google accounts (private and school accounts, for example).
Some users will mistakenly connect on a private account, which isn't registered with us. FusionAuth automatically creates the account, but the user doesn't get registered for our apps that way. So we bounce them out, returning them to our splash page.
Then they try to login again and this time they fall into our app, bypassing the Google account selection screen. The wrong Google account is still active and they get bounced. No easy way to get out of this mess, short of going to a Google site in the browser and logging out.
I'm thinking that perhaps we need to always show the Google account selection screen. For the record we aren't using the canned Google IdP but we've created two (managed and unmanaged) using OpenID. Google docs suggest that prompt=select_account can be passed on the OAuth2 authorization URL. Is there a way to specify options that should be used for each IdP? https://developers.google.com/identity/protocols/oauth2/openid-connect#prompt
-
Have you seen the idp_hint and login_hint parameters? They are documented here: https://fusionauth.io/docs/v1/tech/identity-providers/#hints
They don't work for the canned google provider but should work for OIDC providers (and it seems that is what you are using).
Will using these parameters solve the problem?
-
Afraid not. This isn't an issue of selecting the right IdP for the user or an issue of wanting to skip the FusionAuth login screen.
Once control is passed to Google - I need to ensure that Google prompts the user for Google Account selection. I can't have Google assuming that the user wants to authenticate using the active Google Account - it needs to ask.
-
Ah, ok, sorry for misunderstanding what you are trying to accomplish.
There's no standard way of appending additional information to the idp request in FusionAuth. I think it might make sense to add that ability, but that'd be a feature request, to be prioritized along with the other work: https://github.com/fusionauth/fusionauth-issues/issues
As a workaround, this might work.
Can you uncheck Discover endpoints in the FusionAuth OIDC Identity Provider configuration, and then append prompt=consent or ?prompt=consent to the authorization and token URLs? Then test to see if Google is receiving the additional authentication URI parameters?
-
Thanks Dan - the manual endpoint configuration did the trick. I put the parameter on the authorization URL.
David
-
Added this as a feature request: https://github.com/FusionAuth/fusionauth-issues/issues/1041
-